Re: [Cfrg] AES-SIV versus AES-GCM for Encrypted Key Data

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 17 May 2016 15:12 UTC

To: Russ Housley <housley@vigilsec.com>
References: <D35F6F11.93C3E%paul@marvell.com> <297966AA-C7E0-4C3B-BA56-8D61D7824D66@vigilsec.com> <D35F843A.93C91%paul@marvell.com> <89A44D23-D8A2-4A2F-A94E-6A362FC195C7@vigilsec.com> <573B24ED.70708@cs.tcd.ie> <00A212BA-E86D-4DF5-8987-FA1DF046B634@vigilsec.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <573B34DC.9080103@cs.tcd.ie>
Date: Tue, 17 May 2016 16:12:28 +0100
In-Reply-To: <00A212BA-E86D-4DF5-8987-FA1DF046B634@vigilsec.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/9errD1BM01HGq0p_I3z_M6ZQYNs>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] AES-SIV versus AES-GCM for Encrypted Key Data

Hiya,

On 17/05/16 15:51, Russ Housley wrote:
> Stephen:
> 
>> On 17/05/16 14:50, Russ Housley wrote:
>>> I do not speak for NSA.  However, NSA only uses algorithms and
>>> modes that are FIPS-approved.  AES-SIV does not meet that
>>> requirement.  If that happens in the future, then the direction
>>> might change.
>> 
>> I don't speak for anyone :-)
>> 
>> I strongly believe that holding off from making improvements on the
>> basis of FIPS approval/certification is a really bad idea. If a
>> case can be made that the suggested change is less good or no
>> better than the FIPS approved/certified thing, then that is a
>> debate worth having, but waving the FIPS flag is not itself IMO a
>> good counter argument to a claim that some change is an
>> improvement.
> 
> Your comments are beyond the context of the question at the front of
> this thread.
> 
> This thread was about a particular set of IEEE 802.11 ballot
> comments: 
> https://mentor.ieee.org/802.11/dcn/16/11-16-0596-01-00ai-more-counters.docx

Actually, I think my comments are relevant.

All IMO of course, but if IEEE decided to use AES-GCM and not
SIV on sound technical bases, that's fine. If however, IEEE
decided to use AES-GCM and not SIV solely or mostly due to the
FIPS argument, that's bad.

Earlier up-thread, the comment was made that FIPS approval is
a reason to go with GCM here and not SIV. I'm saying that's a
bad argument unless both schemes are otherwise the same in terms
of interesting technical properties.

> 
>> And I'd be disappointed if an international organisation of any
>> kind did accept that kind of flag waving.
> 
> I guess that you are disappointed.  I understand that AES-SIV was
> selected over AES-GCM.

That's the opposite of what Peter's submission (in the URL above)
is suggesting. Has that been decided or is it still in play? Peter's
suggested change back to GCM is dated May 15th so I guessed that that
is still in progress.

Anyway, I'd only be disappointed if the decision process was driven
by FIPS approval and not by technical issues. (If there's nothing
to choose between proposals technically, then FIPS approval might be
an ok tie-breaker.)

Cheers,
S.

> 
> Russ
>